Thursday, May 25, 2006

Forensic Analysis Issues

I ran across something recently that I had researched before, and hadn't thought a lot about, so I thought I'd blog about it.

You're analyzing the image of a system that turns out to be a Windows XP system. You notice that several files of interest are referenced in the RecentDocs Registry key for a particular user, however, searches of both the "active" file system and the deleted files turn up nothing. You've dumped the contents of the UserAssist keys for that user and you don't see anything that would indicate that the user ran a privacy tool. Looking at the contents of the Prefetch directory, you find entries for the defrag tool.

Checking the dates on Registry keys (application/system MRU lists, etc.) and files (MAC times, as well as the dates maintained within the Prefetch files themselves) you see that the Recycle Bin was emptied after the files were opened/viewed, and the defrag tool was run after the Recycle Bin was emptied...not immediately after, but within a day or two.

So...what's going on? Well, it seems that part of the user "eXPerience" that is XP includes the Prefetch functionality, ostensibly to speed up the loading/launching of frequently used applications. Where does the defrag come in, you ask? Read this. Right beneath figure 1 is an explanation of the defrag activity, and while it isn't a full defrag, it happens, and could cause deleted files that you would normally expect to find to be overwritten.

This is definitely something to keep in mind during your analysis, as well as something to look for/document.

What are some of the issues that you've run into?

2 comments:

Anonymous said...

Hello Harlan,

Another thing to keep in mind related to prefetching and the "system" runnning defrag is that if a user intentionally run the defrag utility I believe it will show up as an MMC entry in the prefetch folder.

Andrew

Keydet89 said...

Andrew,

Thanks. More importantly, though, if the user intentionally runs the defrag utility, it will appear under his or her UserAssist key.

Thanks again,

Harlan